Typing on floppy disks: The worst education failure I’ve seen

Mar 05, 2007 | 4 mins
Data and Information Security, IT Leadership, Physical Security

I spend a lot of time on planes (maybe too much – see last post). On a flight a couple of years ago I sat next to a guy and our conversation quickly turned to IT. Apparently he’d been hired as a systems administrator more than a decade earlier at a manufacturing company. During his first week, he noticed that there were no backup/recovery disks created for this one particular system that was running some pretty critical manufacturing equipment. He made a set of backup disks, which then amounted to ten 5 1/4 inch floppy disks (at a time when floppy disks were actually floppy). He took the disks to the company secretary and asked her to label them and put them in the fireproof safe.

Six months later, a power spike hits, the system gets fried and he has to bring another one online. He gets the disks, created six months prior, from the secretary and puts the first one in. He sees the two scariest words one could ever see as a system administrator: “MEDIA ERROR.”

The guy spends the next three days rebuilding the system with no sleep and plenty of caffeine. After he’s done he makes another set of recovery disks, stumbles back into the secretary’s office and asks her once again to label the disks and put them in the fireproof safe. He makes his way over to her coffee machine, sips on a cup and starts to contemplate a career change. She can see he’s upset and decides to do what he asks right away.

What happened next was one of the most striking examples of education failure I’ve ever seen.

She reached into a drawer and pulled out a set of white adhesive labels. She then sticks one on the first of his disks. Next she takes the disk and SHOVES IT INTO THE TYPEWRITER. Crank, Crank, Crank, as it gets loaded and placed in the sights of the type head. Then…Whack, Whack, Whack as she starts to type the word “Backup” on the typewriter–obviously ruining the disk. His heart sinks as he realizes that every disk he’s ever given her has probably been ruined.

The interesting question here is: Was that her fault? I say no. She didn’t know how to properly handle floppy disks; this was maybe a decade ago (or more) and she’d had very little exposure to computers. She still typed letters by hand. Whenever she’d been given something thin enough to fit into a typewriter and asked to label and file it, this is the procedure that she followed.

The problem was that she was given a technology but not the knowledge to use it properly. It’s amazing how often these same things happen in IT today, and particularly in software development. Developers are asked to incorporate cryptography but have no idea what a salt or seed is. Auditors use source code scanners but have no idea what SQL Injection threats really are.

True advances in safety and security improve the experiences of all types of users. They can build “knowledge” into the product itself. A good example is the move from 5 1/4 floppy disks to the hard shell 3 1/2 inch disks. It’s much more obvious that a hard shell disk shouldn’t be bent or typed on. In addition the disks were generally more durable. As for magnets, submersion, heat and all manner of bad things that can happen, that’s still a knowledge issue.

Many IT security products do little to teach you what they do; they instead do what designers thought you’d want them to do. Given that user needs can be so different and security can be so contextual, the security/safety education part of technology deployment should be as critical as the technology itself.

Dr. Herbert H. Thompson is chief security strategist at People Security and a world-renowned expert in application security. He has co-authored five books on the topic, including How to Break Software Security: Effective Techniques for Security Testing (with Dr. James Whittaker, Addison-Wesley, 2003), and the upcoming Protecting the Business: Software Security Compliance (to be published by John Wiley & Sons, 2007). In 2006, he was named one of the "Top 5 Most Influential Thinkers in IT Security" by SC Magazine. Dr. Thompson has written more than 60 academic and industrial articles and has delivered award-winning presentations and keynotes on software security throughout the world at conferences such as STAR, SD, RSA and Gartner. Email him at